Session timeout was not set in the FortiGate admin console.
The session timeout setting is used to determine whether an administrative or user session is no longer being used, enabling a device to determine when a session can be automatically disconnected. A session could become unused if an administrator has not properly terminated their session and remains authenticated, or if they leave their computer unattended without terminating their session.
An attacker may be able to access a system using an authenticated session that is no longer being used. The attacker would then be able to perform information gathering, configuration and other malicious activities under the context of the previously authenticated user. Due to the nature of the access, this could be an administrative level of access.
I recommend that a timeout period of 10 minutes be configured for all sessions.
The administration connection timeout on Fortinet FortiGate Firewall with UTM FG200B devices can be configured using the following commands:
The commands below were performed:
config system global
set admintimeout <minutes>
end
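To confirm the setting across saved configuration backups, the check below parses the config system global block and compares admintimeout with the 10-minute recommendation. It is an added example, not part of the original finding or any Fortinet tooling; the sample backups, hostname and function names are constructed for illustration.

```python
import shlex

MAX_MINUTES = 10  # the timeout period recommended in this finding
# Constructed sample backups (not taken from a real device).
SAMPLE_OK = """\
config system global
    set hostname "fw-edge-01"
    set admintimeout 10
end
config system interface
    edit "port1"
        set allowaccess https ssh
    next
end
"""
SAMPLE_LONG = SAMPLE_OK.replace("admintimeout 10", "admintimeout 480")
SAMPLE_UNSET = SAMPLE_OK.replace("    set admintimeout 10\n", "")


def global_settings(config_text):
    """Return the 'set' key/values found directly in 'config system global'."""
    stack, settings = [], {}
    for raw in config_text.splitlines():
        try:
            words = shlex.split(raw, comments=True)  # drops '#...' header lines
        except ValueError:  # unbalanced quote, e.g. a multi-line quoted value
            words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))  # track which block we are in
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "set" and stack == ["system global"] and len(words) >= 3:
            settings[words[1]] = " ".join(words[2:])
    return settings


def check_admintimeout(config_text, limit=MAX_MINUTES):
    """Classify a backup as 'ok', 'too_long' or 'not_set' (no explicit value)."""
    value = global_settings(config_text).get("admintimeout")
    if value is None:
        return "not_set", None
    minutes = int(value)
    return ("ok" if minutes <= limit else "too_long"), minutes


if __name__ == "__main__":
    print([check_admintimeout(s) for s in (SAMPLE_OK, SAMPLE_LONG, SAMPLE_UNSET)])
```

A result of not_set means the backup carries no explicit admintimeout line, so the effective value should be confirmed on the device itself.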